------------------------------------------------------------ revno: 13394 revision-id: squid3@treenet.co.nz-20140503182214-rvqvg86mx3ky1poz parent: chtsanti@users.sourceforge.net-20140503105356-o7xoklwov0wy8q37 committer: Amos Jeffries branch nick: trunk timestamp: Sat 2014-05-03 12:22:14 -0600 message: Release Notes for Squid-3.5 ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20140503182214-rvqvg86mx3ky1poz # target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ # testament_sha1: c490682e1f1b8f85a740a68205c8c14b11784e2d # timestamp: 2014-05-03 18:55:19 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ # base_revision_id: chtsanti@users.sourceforge.net-20140503105356-\ # o7xoklwov0wy8q37 # # Begin patch === modified file 'doc/release-notes/release-3.5.sgml' --- doc/release-notes/release-3.5.sgml 2014-03-30 06:41:27 +0000 +++ doc/release-notes/release-3.5.sgml 2014-05-03 18:22:14 +0000 @@ -40,6 +40,9 @@ Support libecap v1.0 Authentication helper query extensions + Support named services + Upgraded squidclient tool + Helper support for concurrency channels Most user-facing changes are reflected in squid.conf (see below). @@ -71,6 +74,93 @@ will send any meaningful detail. +Support named services +

Details at . +

Terminology details at . + +

The command line option -n assigns a name to the Squid service + instance to be used as a unique identifier for all SMP processes run as + part of that instance. This allows multiple instances of Squid service to + be run on a single machine without background SMP systems such as shared + memory and inter-process communication becoming confused or requiring + additional configuration. + +

A service name is always used. When the -n option is missing + from the command line the default service name is squid. + +

When multiple instances are being run the -n service name is + required to target all other options such as -z or -k + commands at the correct service. + +

The squid.conf macro ${service_name} is added to provide the service name + of the process parsing the config. + + +Upgraded squidclient tool +

The squidclient has begun the process of upgrading to support + protocols other than HTTP. + +Debug levels +

The tool displays the server response message on STDOUT unless the -q + command line option is used. Error messages will be output to STDERR. + All other possible output is considered debug and output to STDERR using + a range of debug verbosity levels (currently 1, 2 and 3). + +

When the -v command line option is used debugging is enabled. + The level of debug display is raised for each repetition of the option. + +PING +

When --ping is given the tool will send its message repeatedly + using whichever protocol that message has been formatted for. + Optional parameters to limit the number of pings and their frequency are + available. + +

Older tool versions also provide this feature but require the loop count + parameter to be set to enable use of the feature. + +HTTPS +

When Squid is built with the GnuTLS encryption library the tool is able + to open TLS (or SSL/3.0) connections to servers. + +

The --https option enables TLS using default values. + +

The --cert option specifies a fiel containing X.509 client + certificate and private key in PEM format to be loaded for use. Multiple + certificates are supported and the option may be used multiple times to + load certificates. + The default is not to use a client certificate. + +

The --params option specifies a library specific set of parameters + to be sent to the library for configuring the security context. + See for + available GnuTLS parameters. + +

The --trusted-ca option specifies a file in PEM format containing + one or more Certificate Authority (CA) certificates used to verify the + remote server. This option may be used multiple times to load additional + CA certificate lists. + The default is not to use any CA, nor trust any server. + +

Anonymous TLS (using non-authenticated Diffi-Hellman or Elliptic Curve + encryption) is available with the --anonymous-tls option. + The default is to use X.509 certificate encryption instead. + +

When performing TLS/SSL server certificates are always verified, the + results shown at debug level 3. The encrypted type is displayed at debug + level 2 and the connection is used to send and receive the messages + regardless of verification results. + + +Helper support for concurrency channels +

Helper concurrency greatly reduces the communication lag between Squid + and its helpers allowing faster transaction speeds even on sequential + helpers. + +

The storeid_file_rewrite helper has been updated to support + concurrency channels. It will auto-detect the channel-ID field + on its input line and will produce the appropriate response format. + + Changes to squid.conf since Squid-3.4

There have been changes to Squid's configuration file since Squid-3.4. @@ -104,10 +194,35 @@ based on ACL selection. ACL can be based on client request or cached response details. + sslproxy_session_cache_size +

New directive which sets the cache size to use for TLS/SSL sessions cache. + + sslproxy_session_ttl +

New directive to specify the time in seconds the TLS/SSL session is valid. + + store_id_extras +

New directive to send additional lookup parameters to the configured + Store-ID helper program. It takes a string which may contain logformat %macros. +

The Store-ID helper input format is now: + + [channel-ID] url [extras] + +

The default value for extras is: "%>a/%>A %un %>rm myip=%la myport=%lp" + store_miss

New configuration directive to enable/disable caching of MISS responses. ACL can be based on any request or response details. + url_rewrite_extras +

New directive to send additional lookup parameters to the configured + URL-rewriter/redirector helper program. It takes a string which may + contain logformat %macros. +

The url rewrite and redirector helper input format is now: + + [channel-ID] url [extras] + +

The default value for extras is: "%>a/%>A %un %>rm myip=%la myport=%lp" + Changes to existing tags

New parameter key_extras to send additional parameters to the authentication helper. + cache_dir +

New support for larger than 32KB objects in both rock type + cache and shared memory cache. +

New slot-size=N option for rock cache to specify the database + slot/page size when small slot sizes are desired. The default and + maximum slot size is 32KB. +

Removal of old rock cache dir followed by squid -z is required + when upgrading from earlier versions of Squid. + + cache_peer +

New standby=N option to retain a set of N open and unused + connections to the peer at virtually all times to reduce TCP handshake + delays. +

These connections differ from HTTP persistent connections in that they + have not been used for HTTP messaging (and may never be). They may be + turned into persistent connections after their first use subject to the + same keep-alive critera any HTTP connection is checked for. + forward_max_tries

Default value increased to 25 destinations/em> to allow better contact and IPv4 failover with domains using long lists of IPv6 addresses. + ftp_epsv +

Converted into an Access List with allow/deny value driven by ACLs + using Squid standard first line wins matching basis. +

The old values of on and off imply allow all + and deny all respectively and are now deprecated. + Do not combine use of on/off values with ACL configuration. + http_port

protocol= option altered to accept protocol version details. Currently supported values are: HTTP, HTTP/1.1, HTTPS, HTTPS/1.1 @@ -146,13 +286,19 @@

cache_dir -

COSS storage type is formally replaced by Rosk storage type. +

COSS storage type is formally replaced by Rock storage type. cache_dns_program

DNS external helper interface has been removed. It was no longer able to provide high performance service and the internal DNS client library with multicast DNS cover all modern use-cases. + cache_peer +

idle= replaced by standby=. +

NOTE that standby connections are started earlier and available in + more circumstances than squid-2 idle connections were. They are + also spread over all IPs of the peer. + dns_children

DNS external helper interface has been removed. @@ -177,6 +323,11 @@

There are no new ./configure options in Squid-3.5. + --without-gnutls +

New option to explicitly disable use of GnuTLS encryption library. + Use of this library is auto-enabled if v3.1.5 or later is available. +

It is currently only used by the squidclient tool. + Changes to existing options

Not yet ported from 2.6 cache_peer -

idle= not yet ported from 2.7

monitorinterval= not yet ported from 2.6

monitorsize= not yet ported from 2.6

monitortimeout= not yet ported from 2.6
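Review bot: In the HTTPS subsection added by the @@ -71,6 +74,93 @@ hunk, the final paragraph says server certificates are always verified yet the connection is used "regardless of verification results", while the --trusted-ca paragraph says the default is to trust no server. Read together these look contradictory. Suggest stating outright that the verification result is only reported at debug level 3 and that a failed verification does not stop the request, so nobody relies on squidclient to reject an untrusted server. The --anonymous-tls paragraph could likewise say that this mode does not authenticate the server. Typos in the same hunk: "fiel" should be "file" in the --cert paragraph, and "Diffi-Hellman" should be "Diffie-Hellman".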
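Review bot: The sslproxy_session_cache_size and sslproxy_session_ttl entries added by the @@ -104,10 +194,35 @@ hunk state no default value, and the cache size entry states no unit. Suggest adding both, as the store_id_extras and url_rewrite_extras entries in the same hunk do for their defaults. For those two entries, "The ... helper input format is now: [channel-ID] url [extras]" would be easier for helper authors to act on if the previous format were shown beside it, since the default extras string adds client address and user name fields that an existing helper may not expect. Typo in the cache_peer paragraph: "critera" should be "criteria".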
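Review bot: The --without-gnutls entry in the @@ -177,6 +323,11 @@ hunk is added directly beneath the unchanged context line "There are no new ./configure options in Squid-3.5.", which this change makes false. Suggest removing or rewording that sentence in the same commit so the section does not contradict itself.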